[riot-notifications] [RIOT-OS/RIOT] gnrc_tftp: Fix out-of-bounds memory access when comparing modes (#11737)

nmeum notifications at github.com
Sun Jun 30 23:05:47 CEST 2019

nmeum commented on this pull request.

> @@ -1047,6 +1047,10 @@ int _tftp_decode_start(tftp_context_t *ctxt, uint8_t *buf, gnrc_pktsnip_t *outbu
     /* decode the TFTP transfer mode */
     for (uint32_t idx = 0; idx < ARRAY_LEN(_tftp_modes); ++idx) {
+        if (_tftp_modes[idx].len > (inpkt->size - sizeof(*hdr) - fnlen)) {
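Review bot: the right-hand side `inpkt->size - sizeof(*hdr) - fnlen` is unsigned arithmetic (a `size` field and a length are normally `size_t`), so the new bound is only meaningful if the caller has already established `sizeof(*hdr) + fnlen <= inpkt->size`; nothing in this hunk shows that guarantee, and if `fnlen` is computed by scanning for a NUL that may sit at or past the end of the payload, the subtraction wraps to a huge value and the comparison passes for every mode. Consider hoisting the remaining length out of the loop with an explicit guard, e.g. `size_t rem = inpkt->size - sizeof(*hdr); if (fnlen >= rem) { return error; }` and then comparing `_tftp_modes[idx].len` (plus one for the terminating NUL that the subsequent string compare will expect) against `rem - fnlen`, or rewrite the test as an addition, `sizeof(*hdr) + fnlen + _tftp_modes[idx].len >= inpkt->size`, so that no underflow is possible. A one-line comment stating why the length check precedes the mode compare would also help the next reader, since the rest of this hunk is not visible here.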

No, I strongly disagree. Just because the RFC requires valid messages to use null-terminators for strings doesn't mean that an attacker can't forge a malicious message without terminating null bytes.

Since the packet buffer itself doesn't seem to be terminated with a null byte, using a string function on it might result in an out-of-bounds read, reading memory of other packets in the pktbuf.

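The point raised in the thread, that the mode strings must be compared against the bytes actually present in the packet rather than with a NUL-terminator-dependent string function, is shown below in a stand-alone decoder for the start of a TFTP RRQ/WRQ (RFC 1350: 16-bit opcode, filename, NUL, mode, NUL). This is an added example, not RIOT's gnrc_tftp code; the names `decode_tftp_start`, `bounded_strlen`, `tftp_modes` and the sample packets are all constructed for the illustration. The remaining length is computed once, checked before any memory is touched, and a forged request without terminating NUL bytes is rejected instead of read past its end.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, stand-alone illustration (not RIOT's gnrc_tftp code):
 * decode the start of a TFTP RRQ/WRQ (RFC 1350) from a buffer that is
 * NOT guaranteed to be NUL-terminated, so every string operation is
 * bounded by the bytes actually present in the packet. */

#define TFTP_OP_RRQ 1
#define TFTP_OP_WRQ 2

typedef struct {
    const char *name;
    size_t len;
} tftp_mode_t;

/* Assumed mode table; the index is what decode_tftp_start() returns. */
static const tftp_mode_t tftp_modes[] = {
    { "netascii", 8 },
    { "octet",    5 },
    { "mail",     4 },
};
#define N_MODES (sizeof(tftp_modes) / sizeof(tftp_modes[0]))

/* strlen() that never looks past buf[len - 1].
 * Returns (size_t)-1 when no NUL occurs within len bytes. */
static size_t bounded_strlen(const uint8_t *buf, size_t len)
{
    const uint8_t *nul = memchr(buf, 0, len);
    return nul ? (size_t)(nul - buf) : (size_t)-1;
}

/* Case-insensitive compare of exactly n bytes (RFC 1350 modes are
 * case-insensitive); the caller guarantees both buffers hold n bytes. */
static int mem_ieq(const uint8_t *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (tolower(a[i]) != tolower((unsigned char)b[i])) {
            return 0;
        }
    }
    return 1;
}

/* Returns the index into tftp_modes on success, -1 on a malformed or
 * unterminated request. fn/fnlen (optional) receive the filename. */
int decode_tftp_start(const uint8_t *pkt, size_t size,
                      const uint8_t **fn, size_t *fnlen)
{
    const size_t hdr = 2;                 /* 16-bit opcode */
    if (size < hdr) {
        return -1;
    }
    uint16_t op = (uint16_t)((pkt[0] << 8) | pkt[1]);
    if (op != TFTP_OP_RRQ && op != TFTP_OP_WRQ) {
        return -1;
    }

    size_t rem = size - hdr;              /* cannot underflow: size >= hdr */
    size_t flen = bounded_strlen(pkt + hdr, rem);
    if (flen == (size_t)-1 || flen == 0) {
        return -1;                        /* filename unterminated or empty */
    }
    if (fn) *fn = pkt + hdr;
    if (fnlen) *fnlen = flen;

    /* Bytes left for the mode string, after the filename and its NUL. */
    rem -= flen + 1;
    const uint8_t *mode = pkt + hdr + flen + 1;

    for (size_t i = 0; i < N_MODES; i++) {
        /* Reject before touching memory: name plus its NUL must fit in rem. */
        if (tftp_modes[i].len + 1 > rem) {
            continue;
        }
        if (mode[tftp_modes[i].len] != 0) {
            continue;                     /* not terminated right after the name */
        }
        if (mem_ieq(mode, tftp_modes[i].name, tftp_modes[i].len)) {
            return (int)i;
        }
    }
    return -1;
}

/* Constructed sample packets (opcode, filename, NUL, mode, NUL). */
static const uint8_t pkt_ok[]       = { 0, 1, 'f','o','o', 0, 'o','c','t','e','t', 0 };
static const uint8_t pkt_mixed[]    = { 0, 2, 'a', 0, 'N','e','t','A','s','c','i','i', 0 };
/* Forged: no NUL anywhere after the opcode. */
static const uint8_t pkt_no_nul[]   = { 0, 1, 'f','o','o','o','c','t','e','t' };
/* Forged: filename terminated, mode runs off the end of the packet. */
static const uint8_t pkt_mode_cut[] = { 0, 1, 'f','o','o', 0, 'o','c','t','e','t' };

int main(void)
{
    printf("ok:       %d\n", decode_tftp_start(pkt_ok, sizeof pkt_ok, NULL, NULL));
    printf("mixed:    %d\n", decode_tftp_start(pkt_mixed, sizeof pkt_mixed, NULL, NULL));
    printf("no_nul:   %d\n", decode_tftp_start(pkt_no_nul, sizeof pkt_no_nul, NULL, NULL));
    printf("mode_cut: %d\n", decode_tftp_start(pkt_mode_cut, sizeof pkt_mode_cut, NULL, NULL));
    return 0;
}
```

The two forged packets exercise the cases the thread is about: in `pkt_no_nul` the filename scan itself fails inside the buffer, and in `pkt_mode_cut` the last byte of the packet is the final letter of "octet", so a `strcmp`-style compare would read one byte past the end; here the `len + 1 > rem` test skips that entry before `mode[len]` is dereferenced. Trailing bytes after the mode's NUL are tolerated, since option negotiation (RFC 2347) may follow.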